IT Brief US - Technology news for CIOs & IT decision-makers

Zendesk exploit allows phishing scams, CloudSEK reports

Today

CloudSEK has published a new report detailing how cybercriminals exploit features of the Zendesk SaaS platform to impersonate brands, facilitating phishing and investment scams.

The research centres on subdomain registration: every Zendesk account gets its own subdomain under zendesk.com for its help centre and support email. That is useful for legitimate businesses setting up customer support, but it also lets anyone who signs up choose a subdomain that mimics a real brand and use it to host phishing pages or run investment scams that trick users into handing over money or sensitive information. CloudSEK reported the issue to Zendesk under responsible disclosure.

CloudSEK's analysis highlights the platform's use in "pig butchering" scams, a long-con fraud in which victims are groomed over weeks or months into investing in fraudulent schemes. The method, as described by a CloudSEK researcher, is to create a Zendesk subdomain that impersonates a legitimate company. Because subdomains can be set up without stringent identity verification, scammers find it easy to pass as that company.

The abuse extends to sending phishing emails through Zendesk's own mail infrastructure. Disguised as routine customer-support communications, these emails often carry images hyperlinked to phishing pages, so the visible content looks harmless while the link leads elsewhere. Because the messages use Zendesk's polished templates, many recipients take them to be authentic and follow the link to fake investment or support pages.

CloudSEK has identified 1,912 questionable Zendesk subdomains since 2023 that are potentially linked to phishing and impersonation. A particular concern is deliverability: because the mail is sent from Zendesk's own infrastructure and inherits its good sender reputation, it is unlikely to be flagged as spam and often lands in the recipient's primary inbox rather than a junk folder.

The company also notes how easily attackers can customise a Zendesk subdomain so that it closely resembles the impersonated company's real pages, adding a further layer of credibility to the fraud.

The implications go beyond the technical. They touch on trust, since people naturally trust the brands they deal with online, and when a platform like Zendesk is misused the financial and reputational damage can be severe. Victims of these phishing attacks risk losing money or leaking confidential information that can feed larger data breaches, while the impersonated brands suffer reputational harm and may lose their customers' trust.

To counter these risks, CloudSEK recommends that organisations block suspicious subdomains and use threat-detection tooling; its own XVigil platform is offered as one way to detect and respond to phishing domains. It also stresses educating employees and customers to recognise phishing tactics and to verify where a link actually points before clicking.
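The two recommendations above, flagging suspicious Zendesk subdomains and verifying where links point, can be turned into a simple mail-triage check. The Python below is an added example written for this article; it is not CloudSEK's or Zendesk's code, and the brand name, the trusted subdomain list, the decorator word list and the sample email are all constructed for illustration. It classifies a sender's `*.zendesk.com` subdomain as trusted, lookalike (brand token embedded or within a small edit distance) or unrelated, and extracts image hyperlinks from the email body to flag those whose target host is not on the brand's allowlist, the pattern described for the phishing emails above.

```python
"""Triage a support-style e-mail for Zendesk subdomain impersonation.

Added example, not from the CloudSEK report or Zendesk. All names below
(ExampleBank, its domains, the sample e-mail) are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: help-desk subdomains the brand actually owns.
TRUSTED_SUBDOMAINS = {"examplebank.zendesk.com"}
# Constructed brand tokens to protect (lower-case, no separators).
BRANDS = {"examplebank"}
# Domains the brand legitimately links to from support mail (constructed).
TRUSTED_LINK_DOMAINS = {"examplebank.com", "examplebank.zendesk.com"}
# Words commonly bolted onto a brand token in lookalike subdomains (assumption).
DECORATORS = {"support", "help", "helpdesk", "care", "secure", "login",
              "verify", "account", "official", "us", "uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as exampIebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_subdomain(host: str) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'not-zendesk' for a host."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_SUBDOMAINS:
        return "trusted"
    if not host.endswith(".zendesk.com"):
        return "not-zendesk"
    label = host[: -len(".zendesk.com")]
    # Drop separators, decorator words and numeric filler to recover the core token.
    tokens = [t for t in re.split(r"[-_.]+", label) if t]
    core = "".join(t for t in tokens if t not in DECORATORS and not t.isdigit())
    for brand in BRANDS:
        if brand in core:                       # e.g. examplebank-support
            return "lookalike"
        if levenshtein(core, brand) <= max(1, len(brand) // 5):  # e.g. exampIebank
            return "lookalike"
    return "unrelated"


class ImageLinkExtractor(HTMLParser):
    """Collect href targets of <a> elements that wrap an <img>."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None
        self.image_links: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.image_links.append(self._href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def is_trusted_link_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def offbrand_image_links(html: str) -> list[str]:
    """Image hyperlinks whose destination host is not on the brand allowlist."""
    parser = ImageLinkExtractor()
    parser.feed(html)
    return [u for u in parser.image_links
            if not is_trusted_link_host((urlsplit(u).hostname or "").lower())]


def triage_email(sender: str, html: str) -> dict:
    """Combine the sender-subdomain verdict with the link check."""
    verdict = classify_subdomain(sender.rsplit("@", 1)[-1])
    bad_links = offbrand_image_links(html)
    return {"sender_verdict": verdict,
            "offbrand_image_links": bad_links,
            "suspicious": verdict == "lookalike" or bool(bad_links)}


# Constructed sample: a "verify your account" mail from a lookalike subdomain
# whose clickable image points at an off-brand host.
SAMPLE_SENDER = "support@examplebank-support.zendesk.com"
SAMPLE_EMAIL_HTML = """<html><body>
<p>Your ExampleBank account needs verification.</p>
<a href="https://examplebank-secure-login.example.net/verify">
  <img src="https://examplebank-support.zendesk.com/logo.png" alt="Verify now"></a>
<a href="https://help.examplebank.com/faq">Help center</a>
</body></html>"""

if __name__ == "__main__":
    print(triage_email(SAMPLE_SENDER, SAMPLE_EMAIL_HTML))
```

The allowlist is the important part: a brand can enumerate the Zendesk subdomains and link domains it really uses, so anything else that carries its name is worth a closer look, while a fuzzy match alone would also catch the brand's own regional help desks if they were not listed.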

CloudSEK also suggests that platforms like Zendesk enforce stricter verification protocols to ensure the legitimacy of users creating subdomains.

Noel Varghese, Cybersecurity Researcher at CloudSEK, stated, "Zendesk's subdomain flexibility, while convenient, can be a double-edged sword. Threat actors can misuse it to mimic trusted brands, making phishing attacks more convincing and damaging, leading to financial loss and a breach of trust for businesses and their customers."
